» google_container_analysis_occurrence

An occurrence is an instance of a Note, or type of analysis that can be done for a resource.

To get more information about Occurrence, see:

» Example Usage - Container Analysis Occurrence Kms

resource "google_binary_authorization_attestor" "attestor" {
  name = "attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.note.name
    public_keys {
      id = data.google_kms_crypto_key_version.version.id
      pkix_public_key {
        public_key_pem      = data.google_kms_crypto_key_version.version.public_key[0].pem
        signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm

resource "google_container_analysis_note" "note" {
  name = "attestation-note"
  attestation_authority {
    hint {
      human_readable_name = "Attestor Note"

data "google_kms_key_ring" "keyring" {
  name = "my-key-ring"
  location = "global"

data "google_kms_crypto_key" "crypto-key" {
  name     = "my-key"
  key_ring = data.google_kms_key_ring.keyring.self_link

data "google_kms_crypto_key_version" "version" {
  crypto_key = data.google_kms_crypto_key.crypto-key.self_link

resource "google_container_analysis_occurrence" "occurrence" {
  resource_uri = "gcr.io/my-project/my-image"
  note_name = google_container_analysis_note.note.id

  // See "Creating Attestations" Guide for expected
  // payload and signature formats.
  attestation {
    serialized_payload = filebase64("path/to/my/payload.json")
    signatures {
      public_key_id = data.google_kms_crypto_key_version.version.id
      serialized_payload = filebase64("path/to/my/payload.json.sig")

» Argument Reference

The following arguments are supported:

  • resource_uri - (Required) Required. Immutable. A URI that represents the resource for which the occurrence applies. For example, https://gcr.io/project/image@sha256:123abc for a Docker image.

  • note_name - (Required) The analysis note associated with this occurrence, in the form of projects/[PROJECT]/notes/[NOTE_ID]. This field can be used as a filter in list requests.

  • attestation - (Required) Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for lookup (how to find this attestation if you already know the authority and artifact to be verified) and intent (for which authority this attestation was intended to sign. Structure is documented below.

The attestation block supports:

  • serialized_payload - (Required) The serialized payload that is verified by one or more signatures. A base64-encoded string.

  • signatures - (Required) One or more signatures over serializedPayload. Verifier implementations should consider this attestation message verified if at least one signature verifies serializedPayload. See Signature in common.proto for more details on signature structure and verification. Structure is documented below.

The signatures block supports:

  • signature - (Optional) The content of the signature, an opaque bytestring. The payload that this signature verifies MUST be unambiguously provided with the Signature during verification. A wrapper message might provide the payload explicitly. Alternatively, a message might have a canonical serialization that can always be unambiguously computed to derive the payload.

  • public_key_id - (Required) The identifier for the public key that verifies this signature. MUST be an RFC3986 conformant URI. * When possible, the key id should be an immutable reference, such as a cryptographic digest. Examples of valid values:

  • remediation - (Optional) A description of actions that can be taken to remedy the note.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/occurrences/{{name}}

  • name - The name of the occurrence.

  • kind - The note kind which explicitly denotes which of the occurrence details are specified. This field can be used as a filter in list requests.

  • create_time - The time when the repository was created.

  • update_time - The time when the repository was last updated.

» Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 4 minutes.
  • update - Default is 4 minutes.
  • delete - Default is 4 minutes.

» Import

Occurrence can be imported using any of these accepted formats:

$ terraform import google_container_analysis_occurrence.default projects/{{project}}/occurrences/{{name}}
$ terraform import google_container_analysis_occurrence.default {{project}}/{{name}}
$ terraform import google_container_analysis_occurrence.default {{name}}

» User Project Overrides

This resource supports User Project Overrides.